Zenarmor - Syn flood has been detected.

Started by allebone, April 28, 2024, 07:41:48 PM

But as you say it happens periodically on the same day and at the same time, most likely it's some kind of automation or tool. Do you use NMAP or NetAlertX or PiAlert?


In 1.18 release the synflood detection should as well show the device causing this. Use that info in order to find what device is causing it.
Quote: "Improvement: The SYN Flood detection capabilities have been enhanced to provide additional details, such as synflood top actors, MAC addresses, and local and remote IP addresses."

https://www.zenarmor.com/docs/support/release-notes


Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

I get these as well regularly, but if it is an attack:

The attacker is flooding your system by starting connections but leaving the session hanging halfway, leaving the firewall waiting for the other side to finish building the connection. This is done from a single address (DoS) or multiple addresses (DDoS).

That being said: I don't actually believe ZA is detecting this type of attack on a home firewall (in my case) correctly. Why would an attacker SYN flood random users?

The number of 'me too' messages makes me think ZA is a bit trigger happy, maybe?
Running OPNsense on a Deciso DEC750 with upgraded memory (16GB ECC) and active cooling

You are correct on that matter, there seems to be a BUG.

For example, when you run the nmap scanner and block all the ports on OPNsense, ZA keeps the connections but OPNsense drops them. What happens here is that ZA keeps the TCP SYN, but there will never be a handshake because the traffic is blocked.

The syncache will grow and ZA starts to report this as a synflood. This also starts to eat into memory and SWAP. Basically ZA is not identifying this correctly, creates false positives and causes a resource drain if the synflood feature is enabled.

I was able to reproduce this behavior exactly as described above. If you scan just one IP like this you will eat up all the syncache, and subsequent scanning will cause a resource drain.

Regards,
S.

Hi,

Zenarmor has an algorithm to detect SYN attacks which checks the syncache against the deployment size. There is a threshold according to the deployment size, used to decide whether there is an anomaly with the syncache or not, and it reports the host(s) that have the top SYN sessions. It might not be an attack, but it should be an anomaly with the host(s). You can check the syncache value in /usr/local/zenarmor/log/stat/memstat*.log
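To make the heuristic discussed in this thread concrete, here is an added illustration (not Zenarmor's own code; the thresholds, addresses and segment sample are assumed): it tracks half-open connections the way a syncache would, compares the total against a deployment-size threshold, and lists the top actors, so a single host scanning blocked ports shows up as the "attacker" exactly as described above.

```python
from collections import Counter

# Assumed thresholds keyed by deployment size; Zenarmor's real values are not published here.
SYNCACHE_THRESHOLDS = {"small": 50, "medium": 500, "large": 5000}

# Constructed sample of client-side TCP segments seen by the sensor: (src, dst, dport, flags).
# One host probes 60 ports on a target whose ports the firewall blocks, so no handshake ever
# completes; a normal client opens one connection to 443 and finishes the three-way handshake.
SCANNER, CLIENT, TARGET = "192.168.1.50", "192.168.1.20", "10.0.0.1"
SAMPLE_SEGMENTS = [(SCANNER, TARGET, port, "S") for port in range(1, 61)]
SAMPLE_SEGMENTS += [(CLIENT, TARGET, 443, "S"), (CLIENT, TARGET, 443, "A")]


def half_open_by_source(segments):
    """Count SYNs per source that were never completed by the client's final ACK.

    Each pending (src, dst, dport) tuple stands in for one syncache entry.
    """
    pending = {}
    for src, dst, dport, flags in segments:
        key = (src, dst, dport)
        if flags == "S":
            pending[key] = True          # new half-open entry
        elif flags == "A" and key in pending:
            del pending[key]             # handshake finished, entry released
    return Counter(src for (src, _, _) in pending)


def detect_synflood(segments, deployment_size, top_n=3):
    """Flag an anomaly when the syncache-like total exceeds the deployment threshold."""
    counts = half_open_by_source(segments)
    total = sum(counts.values())
    threshold = SYNCACHE_THRESHOLDS[deployment_size]
    return {
        "syncache": total,
        "threshold": threshold,
        "anomaly": total > threshold,
        "top_actors": counts.most_common(top_n),  # the hosts worth investigating first
    }


if __name__ == "__main__":
    # With a "small" deployment the 60 dropped probes alone cross the threshold, and the
    # reported top actor is the scanning host, not an external attacker.
    print(detect_synflood(SAMPLE_SEGMENTS, "small"))
```

When the top actor is an internal address with many distinct destination ports, the cause is usually a scanner or monitoring tool on that host rather than a flood from outside.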